[Fleet] Add warning if need root integrations trying to be used with unprivileged agents

[juliaElastic]

Summary

Closes https://github.com/elastic/ingest-dev/issues/3252

Add integration

Added warning to Add integration when the integration requires root privilege and the selected existing agent policy has unprivileged agents enrolled.

To verify:

• enroll an agent with docker (it has unprivileged: true)
• try to add an integration that requires root e.g. auditd_manager
• verify that when trying to save the integration, the warning callout is part of the confirm deploy modal

Add agent flyout

Added warning to Add agent flyout when an unprivileged agent is detected in combination with an agent policy that has integrations requiring root

To verify:

• add an integration to an agent policy that requires root e.g. auditd_manager
• open Add agent flyout, verify that the warning callout is visible

Open question:

• Do we want to show the warning on Add agent flyout only for newly enrolled agents (in the last 10 mins like we query enrolled agents), or any unprivileged agents that are enrolled to this policy?
  • Decision: No longer applicable as we decided to not show a count here

Checklist

• Unit or functional tests were updated or added to match the most common scenarios

[ghost]

🤖 GitHub comments

Expand to view the GitHub comments

Just comment with:

• /oblt-deploy : Deploy a Kibana instance using the Observability test environments.
• run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

[juliaElastic]

/ci

[juliaElastic]

/ci

[juliaElastic]

/ci

[juliaElastic]

/ci

[elasticmachine]

Pinging @elastic/fleet (Team:Fleet)

[kilfoyle]

LGTM for the text! 👍

[juliaElastic]

I'm going to add UI tests

[jen-huang]

above in this file, there is another modal nested under formState === 'CONFIRM'

I'm concerned about potential conflicts with that modal since this one is outside of that conditional. can formState be part of the condition for opening this modal?

btw, if we continue to use isConfirmModalOpen, it should probably be renamed because there are multiple confirm modals in this flow and this is only for the unprivileged modal

[nchaulet]

LGTM 🚀

[jen-huang]

A few UX suggestions.

For the Add agent flyout, I think it would be good to also notify the user before the attempt installation that the selected policy needs privileged agents. How about we put this just before the installation commands code block? That way it can appear on the standalone agent installation instructions too:

[jen-huang]

when I add auditd to an existing policy with an unprivileged agent is such that I get this modal first, I click Add integration, and I get the second Save and deploy changes confirmation modal. this seems like a UX anti-pattern.

is it possible to merge these two modals? since both modals are conditional on if there are already agents enrolled into the selected policy, we could have the unprivileged warning callout below the blue callout if there are some unprivileged agents:

WDYT? and sorry for the review churn - I should have commented on this behavior in my initial review 😅

[juliaElastic]

Good point, showing two modals is not ideal indeed. I'll update.

[juliaElastic]

Merged the two modals:

[juliaElastic]

For the Add agent flyout, I think it would be good to also notify the user before the attempt installation that the selected policy needs privileged agents. How about we put this just before the installation commands code block? That way it can appear on the standalone agent installation instructions too:

Good point, I'll move it.
I think we should eventually add to the instruction how to enroll an agent in unprivileged mode.

I moved the callout before the install commands, do we still want to show how many unprivileged agents are enrolled? If there are no unprivileged agents yet, we can show a generic warning:

If there are unprivileged agents:

[kpollich]

do we still want to show how many unprivileged agents are enrolled?

I don't know how useful the count is in this scenario without also listing out each agent ID or something along those lines. Maybe we can opt to exclude it for now and revisit this callout with some technical writing/UX eyes. One thing that comes to mind: would we want to give the user a link to a pre-filtered agents table view that shows the agents in question so they can take action and then come back to the enrollment flow? As it stands, I think unless we are providing clear call to actions this callout is mainly informative, and we're not driving the user to take action. This is okay for the initial scope here, imo.

@juliaElastic - would it be possible to render the list of integrations in a <ul> instead of as a comma separate string? I foresee an edge case where there 10+ integrations that fall into this case on a large policy and callout starts to look a bit messy. We could put the list of offending integrations after the main callout text, maybe with some wording tweaks e.g.

This agent policy contains the following integrations that require Elastic Agents to have root privileges.
To ensure that all data required by the integrations can be collected, reenroll the agents using an account with root privileges. 

- Auditd Manager
- ...
- ...

[juliaElastic]

I don't know how useful the count is in this scenario without also listing out each agent ID or something along those lines. Maybe we can opt to exclude it for now and revisit this callout with some technical writing/UX eyes. One thing that comes to mind: would we want to give the user a link to a pre-filtered agents table view that shows the agents in question so they can take action and then come back to the enrollment flow? As it stands, I think unless we are providing clear call to actions this callout is mainly informative, and we're not driving the user to take action. This is okay for the initial scope here, imo.

Thanks for the suggestions, I agree that it's not that useful to show the count of unprivileged agents if not actionable. I'll remove it for now. cc @nimarezainia

I'll change the callout to show a list of integrations.

Updated:

[jen-huang]

The UI changes look great, thanks for making them @juliaElastic :)
Agree with the decision to remove the count from agent enrollment flyout.

I pulled the screenshots you provided to the PR description.

I tested locally 👍

[nimarezainia]

I moved the callout before the install commands, do we still want to show how many unprivileged agents are enrolled? If there are no unprivileged agents yet, we can show a generic warning:

IMO it doesn't hurt to show the number of agents. More information is always better. Also could help with troubleshooting if there are issues.

[juliaElastic]

IMO it doesn't hurt to show the number of agents. More information is always better. Also could help with troubleshooting if there are issues.

I would leave it as is for now, we can adjust the UI later if needed.

[kibana-ci]

💚 Build Succeeded

• Buildkite Build
• Commit: 16debbc

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
fleet	1011	1013	+2

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
fleet	1187	1188	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
fleet	1.3MB	1.3MB	+4.0KB

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
fleet	164.4KB	164.6KB	+189.0B

Unknown metric groups

API count

id	before	after	diff
fleet	1308	1309	+1

History

• 💔 Build #211117 failed 25de4b1
• 💚 Build #210782 succeeded dc54eff
• 💔 Build #210758 failed dbcf8a3
• 💚 Build #210714 succeeded 2b2fe93
• 💔 Build #210661 failed 1841922

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

cc @juliaElastic